Skip to main content
Mallory
Back to malware
MalwareUsed by 2 actors

ChainShell

ChainShell is a JavaScript and Node.js implant documented by JUMPSEC as part of a campaign linked to the Iranian state-sponsored threat group MuddyWater. It is deployed by a PowerShell loader identified as reset.ps1 and functions by resolving its command-and-control address from an Ethereum smart contract, then retrieving next-stage JavaScript code for execution on compromised hosts. The malware communicates over AES-encrypted WebSocket channels. Reporting states that ChainShell was observed within a broader threat cluster that also included CastleRAT-related tooling, with a misconfigured command-and-control server exposing both custom Iranian tooling and TAG-150 CastleRAT samples. Attribution in the reporting was supported by SSL.com code-signing certificates issued to "Amy Cherne," previously linked to MuddyWater's StageComp tool, and hardcoded JSON Web Token campaign identifiers matching the "Smokest" operation. The campaign was associated with Israeli targets, and the likely targeting focus mentioned in the reporting includes government and defense sectors. The content also notes that MuddyWater appeared to be operating as a paying customer of a Russian malware-as-a-service ecosystem, complicating attribution and triage.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
MuddyWater

The novel ChainShell payload, a JavaScript and Node.js implant, retrieves its C2 address from an Ethereum smart contract and communicates via AES-encrypted WebSocket channels.

via scworldscworld.com
GrayBravo

Central to the operations is a PowerShell deployer ("reset.ps1") that deploys a previously undocumented JavaScript-based malware called ChainShell, which then contacts a smart contract on the Ethereum blockchain to retrieve a C2 address and use it to fetch next-stage JavaScript code for execution on compromised hosts.

via the hacker newsthehackernews.com
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059.001PowerShellEvidence1
TacticExecution

Central to the operations is a PowerShell deployer ("reset.ps1") that deploys a previously undocumented JavaScript-based malware called ChainShell...

T1059.007JavaScriptEvidence1
TacticExecution

...a previously undocumented JavaScript-based malware called ChainShell, which then contacts a smart contract on the Ethereum blockchain to retrieve a C2 address and use it to fetch next-stage JavaScript code for execution on compromised hosts.

Command and Control

4 techniques
T1071Application Layer ProtocolEvidence2
TacticCommand and Control

The novel ChainShell payload, a JavaScript and Node.js implant, retrieves its C2 address from an Ethereum smart contract and communicates via AES-encrypted WebSocket channels.

T1071.001Web ProtocolsEvidence1
TacticCommand and Control

...communicates via AES-encrypted WebSocket channels.

T1105Ingress Tool TransferEvidence1
TacticCommand and Control

Central to the operations is a PowerShell deployer ("reset.ps1") that deploys a previously undocumented JavaScript-based malware called ChainShell, which then contacts a smart contract on the Ethereum blockchain to retrieve a C2 address and use it to fetch next-stage JavaScript code for execution on compromised hosts.

T1568Dynamic ResolutionEvidence2
TacticCommand and Control

The novel ChainShell payload, a JavaScript and Node.js implant, retrieves its C2 address from an Ethereum smart contract...

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
huntio blogNews
Apr 21, 2026
DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers

A Node.js agent in the same threat cluster that resolves command-and-control infrastructure via an Ethereum smart contract. The content notes no shared code with DinDoor.

Read more
scworldNews
Apr 13, 2026
MuddyWater pays for Russian CastleRAT malware | brief | SC Media

A JavaScript and Node.js implant used in the documented campaign; it retrieves command-and-control infrastructure from an Ethereum smart contract and uses AES-encrypted WebSocket communications.

Read more
the hacker newsNews
Apr 8, 2026
Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs

Previously undocumented JavaScript-based malware that uses an Ethereum smart contract to retrieve C2 information and fetch next-stage payloads.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.